Security testing could mean many different things. In this presentation, it mainly refers to security functional testing, a type of software testing whose main goal is to make sure the security controls in an application work as expected. For example, if account locking is used to prevent brute-force attacks, there should be corresponding tests that verify account locking actually engages and cannot be bypassed.
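The account-locking example above, written out as an automated security functional test. This is an added example, not code from the presentation or from Ping Identity: AuthService is a constructed stand-in for the application under test so the tests run offline, the threshold and window are assumed policy values, and the usernames and passwords are made up. The tests are derived from the threat (online password guessing) rather than from the implementation, which is the approach the abstract argues for.

```python
"""Security functional tests for an account-lockout control (added example)."""
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5        # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900   # assumed policy: 15-minute lockout window


@dataclass
class Account:
    password: str
    failures: int = 0
    locked_until: float = 0.0


class AuthService:
    """Constructed stand-in for the system under test. The clock is
    injectable so the tests can move time forward without sleeping."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._accounts = {}

    def register(self, username, password):
        self._accounts[username] = Account(password=password)

    def login(self, username, password):
        """Return 'ok', 'failed' or 'locked'."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            return "failed"  # same answer as a bad password: no enumeration
        if acct.locked_until > now:
            # Checked before the password, so a correct guess during the
            # window is still refused.
            return "locked"
        if acct.locked_until:
            acct.failures = 0  # window elapsed: start a fresh count
            acct.locked_until = 0.0
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
        return "failed"


class FakeClock:
    """Deterministic time source for the tests."""

    def __init__(self, start=1000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def _service(clock):
    svc = AuthService(clock)
    svc.register("alice", "correct horse battery staple")  # constructed data
    svc.register("bob", "hunter2")
    return svc


def test_threshold_locks_and_correct_password_is_refused():
    """Threat: online guessing. The control must engage at the threshold
    and must not be bypassed by the right password during the window."""
    clock = FakeClock()
    svc = _service(clock)
    attempts = [svc.login("alice", "wrong") for _ in range(MAX_FAILURES)]
    assert attempts == ["failed"] * MAX_FAILURES
    assert svc.login("alice", "correct horse battery staple") == "locked"
    assert svc.login("bob", "hunter2") == "ok"  # lockout is per account
    return True


def test_lockout_expires_then_counter_restarts():
    """After the window the user can log in again, and the failure count
    has restarted so one stale mistake does not re-lock immediately."""
    clock = FakeClock()
    svc = _service(clock)
    for _ in range(MAX_FAILURES):
        svc.login("alice", "wrong")
    clock.advance(LOCKOUT_SECONDS - 1)
    assert svc.login("alice", "correct horse battery staple") == "locked"
    clock.advance(1)
    assert svc.login("alice", "wrong") == "failed"  # count restarted at 1
    assert svc.login("alice", "correct horse battery staple") == "ok"
    return True


def test_unknown_user_is_indistinguishable():
    """Pitfall: lockout responses must not reveal which usernames exist."""
    svc = _service(FakeClock())
    assert svc.login("nobody", "x") == svc.login("alice", "x") == "failed"
    return True
```

Each test names the threat it covers in its docstring, which is what makes the suite reviewable by Security as well as Dev: a reviewer can ask "which threat is untested?" rather than "which code path is untested?". The tests are ordinary unit tests, so they run in the same CI/CD stage as the rest of the suite and fail the build like any other regression.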

Sounds simple? Surprisingly, the development processes of many applications don’t include this type of testing. They use static analysis tools to scan the source code and dynamic analysis tools to scan the running application, but they don’t cover this basic hygiene!

To develop effective security tests, it’s important to have a good understanding of the real threats to the application and to let those threats drive the creation of the tests.

In the DevOps world, security functional testing is a security control that is well suited to integration with the pipeline and that promotes collaboration between Dev and Security.

After attending this presentation, attendees should understand:

● The importance of automated security functional testing

● How to use threat modeling to drive the testing

● How to integrate the testing into the CI/CD pipeline

● The pitfalls to watch out for

BIOGRAPHY

Yang Yu is a developer turned security engineer at Ping Identity. He is experienced in securing on-premises and SaaS applications, running a secure SDLC program, and performing information security risk assessments. His current interest is in integrating security with DevOps.